Submission Details
Severity: medium

Unrestricted Token Usage Posing Risk to Borrowers

Summary

The Lender.sol smart contract allows any ERC20 token to be used as loanToken and collateralToken in the setPool() function. This lack of restriction could expose borrowers to potential risks if a lender uses an unvetted or low-value token.

Vulnerability Details

In the Lender.sol contract, lenders can create loan pools with specific parameters, including loanToken and collateralToken. However, the contract does not restrict which tokens can be used. As a result, a lender could use a low-value or malicious copycat token as the loanToken. A borrower may then be misled into providing valuable collateral for these tokens.

Impact

Without a mechanism to restrict or vet the types of tokens used, borrowers could be misled into providing valuable collateral in exchange for loanTokens of lesser value. This could lead to financial losses for the borrowers and potentially undermine trust in the platform.

Tools Used

  • Manual code review

Recommendations

It is recommended to implement a whitelist of allowed tokens that can be used as loanToken and collateralToken. The tokens on this whitelist should be vetted for legitimacy and value. This would add a layer of protection for borrowers and prevent potential misuse by lenders.

Thoroughly test the contract with various scenarios to ensure that the token whitelist functions as expected.
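As an added illustration of the recommended mitigation (this is example code written for this report, not the audited Lender.sol or any of its actual functions), the sketch below gates setPool() behind an owner-maintained token whitelist. The Pool struct fields, the owner model, the custom errors and the poolId derivation are all assumptions made for the example; the real contract's layout will differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Example only: a minimal lender contract whose pool creation is restricted
// to a whitelist of vetted tokens. Struct layout and owner model are assumed.
contract LenderWithTokenWhitelist {
    struct Pool {
        address lender;
        address loanToken;
        address collateralToken;
        uint256 poolBalance;
    }

    address public immutable owner;

    // token address => allowed as loanToken / collateralToken
    mapping(address => bool) public allowedToken;

    mapping(bytes32 => Pool) public pools;

    event TokenAllowed(address indexed token, bool allowed);
    event PoolSet(bytes32 indexed poolId, address indexed lender, address loanToken, address collateralToken);

    error NotOwner();
    error TokenNotAllowed(address token);
    error NotPoolLender();

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    modifier onlyAllowedTokens(address loanToken, address collateralToken) {
        if (!allowedToken[loanToken]) revert TokenNotAllowed(loanToken);
        if (!allowedToken[collateralToken]) revert TokenNotAllowed(collateralToken);
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Governance adds or removes a vetted token. Removing a token blocks new
    // pools with it; see the note below about pools created earlier.
    function setTokenAllowed(address token, bool allowed) external onlyOwner {
        allowedToken[token] = allowed;
        emit TokenAllowed(token, allowed);
    }

    // Pool creation/update now reverts unless BOTH tokens are whitelisted.
    function setPool(Pool calldata p)
        external
        onlyAllowedTokens(p.loanToken, p.collateralToken)
        returns (bytes32 poolId)
    {
        // Assumed poolId scheme: one pool per (lender, loanToken, collateralToken).
        poolId = keccak256(abi.encode(p.lender, p.loanToken, p.collateralToken));

        Pool storage existing = pools[poolId];
        if (existing.lender != address(0) && existing.lender != msg.sender) revert NotPoolLender();

        pools[poolId] = Pool({
            lender: msg.sender,
            loanToken: p.loanToken,
            collateralToken: p.collateralToken,
            poolBalance: p.poolBalance
        });
        emit PoolSet(poolId, msg.sender, p.loanToken, p.collateralToken);
    }

    // Re-check at borrow time so a token delisted after pool creation cannot
    // keep attracting collateral through an already-existing pool.
    function borrow(bytes32 poolId, uint256 /* debt */, uint256 /* collateral */) external view {
        Pool storage p = pools[poolId];
        if (!allowedToken[p.loanToken]) revert TokenNotAllowed(p.loanToken);
        if (!allowedToken[p.collateralToken]) revert TokenNotAllowed(p.collateralToken);
        // ... transfer logic would follow in a real implementation
    }
}
```

The check is applied both when a pool is created and when it is used: a whitelist enforced only in setPool() leaves existing pools untouched when a token is later removed, so borrow-side enforcement (or an explicit pool-disable path) is what actually protects borrowers after a delisting. The test scenarios this recommendation calls for map directly onto these branches: setPool() with a non-whitelisted loanToken reverts, with a non-whitelisted collateralToken reverts, with both whitelisted succeeds, and a pool whose token is delisted afterwards can no longer be borrowed from.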
